BlackBerry Forums Support Community               

10-04-2007, 01:28 PM   #1
Posted by pilotmike
Join Date: Oct 2007
Location: Kansas City
Model: 8320
Carrier: T-Mobile

8320/8820 Enterprise Wi-Fi PEAP Support

Has anyone been successful getting Enterprise Wi-Fi set up on an 8320/8820 using PEAP security? We have been working with both Cisco and RIM the past several days but have had no luck so far -- cases are still pending from both vendors.

Here is our environment:

WLAN Hardware:
Cisco Wireless LAN Controllers
Cisco Aironet 1000 Series Lightweight Access Points

Authentication/Security:
802.1X to Microsoft IAS RADIUS server (Windows Server 2003 SP1) authenticating against Active Directory (AD)
Authentication-Type: PEAP
EAP-Type: EAP-MSCHAP v2
Server Certificate: CA Signed certificate from VeriSign Class 3 Secure Server CA

We had to load the VeriSign Class 3 Secure Server CA certificate on the BB devices (8320 & 8820), but we have a valid certificate chain and have confirmed the certificates by their serial numbers.

BlackBerry Wi-Fi Device setup:
Security Type: PEAP
Username: <username>
Password: <password>
CA Certificate: VeriSign Class 3 Secure Server CA
Inner link security: EAP-MS-CHAP v2
Server Subject: wifisecurity.example.com
Server SAN: <blank>

Both the 8820 from AT&T and the 8320 from T-Mobile are failing. We are seeing some interesting stuff on the wireless sniffer, but I was interested if anyone else has gotten PEAP to work successfully on these devices.
10-06-2007, 11:37 PM   #2
Join Date: Nov 2005
Model: 7290
Carrier: Tmobile

What does the error say on the BB? (Options - Wi-Fi Connections-Menu-Wi-Fi Diagnostics, change the display mode to Advanced)

Can you share what the IAS log says when it fails?

Are the user's credentials successful when using the same on a laptop?
10-07-2007, 10:51 PM   #3
Posted by pilotmike
Join Date: Oct 2007
Location: Kansas City
Model: 8320
Carrier: T-Mobile

Below is a sample of what we see in the IAS logs for these BlackBerry 8320 and 8820 users. This particular user works fine on a laptop or on a Windows Mobile 6 device (i.e. T-Mobile Dash).

User <USER> was denied access.
Fully-Qualified-User-Name = example.com/Users-Developer/<USER>
NAS-IP-Address = 10.123.30.11
NAS-Identifier = WLC-1
Called-Station-Identifier = 00-0B-85-XX-XX-XX:wlan
Calling-Station-Identifier = 00-1C-CC-1C-XX-XX
Client-Friendly-Name = WLC-1
Client-IP-Address = 10.123.30.11
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Authentication - Allow
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client configuration.


The above info tells me the encrypted password portion of the authentication is not occurring because IAS cannot determine the EAP type.

We next turned to a wireless sniffer to compare a Windows XP host with a BlackBerry 8320/8820. The only difference in the authentication process is that the BlackBerry device(s) respond with an SSL/TLS encryption error after the certificate is sent from the RADIUS server. Basically the PEAP process starts, the username gets passed, and the IAS (RADIUS) server sends the certificate information for the SSL/TLS encryption. Once the last certificate packet is acked, the BlackBerry responds with an SSL/TLS encryption failure and is then DeAuthed from the Access Point.

In the advanced Wi-Fi diagnostic tool on both BlackBerry devices it indicates a W010 Error: Wifi Association Failed.

I am down to two theories as to root cause at this time:
  1. BlackBerry 802.1X supplicant problem
  2. PEAP misconfiguration on the BlackBerry devices
Another thing we tried was modifying the 'Server Subject' field format on the BlackBerry devices, putting in the fully qualified subject name of our server certificate (i.e. CN=wifisecurity.example.com,OU=IT,O=Company, etc.) but no change -- same errors. RIM support has indicated this field only needs to be populated with the hostname on the certificate (i.e. wifisecurity.example.com, also known as the certificate "friendly name"). It was worth a shot...

Cisco TAC has also come back after analyzing our logs and sniffer traces and believes, at this time, the issue is with the BlackBerry device(s).

We really wish we could share our findings with some RIM engineers or developers. Someone somewhere knows what is going on or how to collect more detailed debugging information from the BlackBerry 802.1X supplicant.

Last edited by pilotmike : 10-07-2007 at 10:53 PM.
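An added triage example (not code from the thread) for IAS events in the form quoted above: it parses the "denied access" records, separates Reason-Code 23 with an undetermined EAP-Type (the PEAP outer TLS tunnel never came up, so the inner MS-CHAP v2 exchange never ran) from ordinary credential failures, and counts the TLS failures per MAC OUI to see whether one device family is affected while others authenticate. The sample log and station identifiers are constructed, and reason code 16 is assumed to be the IAS credential-mismatch code.

```python
from collections import Counter
# Constructed sample shaped like the IAS "denied access" events quoted above;
# not a real log, and the station identifiers are made up.
SAMPLE_IAS_LOG = """\
User alice was denied access.
Calling-Station-Identifier = 00-1C-CC-1C-AA-01
EAP-Type = <undetermined>
Reason-Code = 23

User bob was denied access.
Calling-Station-Identifier = 00-1C-CC-1C-AA-02
EAP-Type = <undetermined>
Reason-Code = 23

User carol was denied access.
Calling-Station-Identifier = 00-16-EA-12-34-56
EAP-Type = EAP-MSCHAP v2
Reason-Code = 16
"""

def parse_events(text):
    """One dict per 'denied access' event; attribute lines are 'Key = Value'."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if not (lines[0].startswith("User ") and "was denied access" in lines[0]):
            continue
        event = {"User": lines[0].split()[1]}
        for line in lines[1:]:
            key, _, value = line.partition(" = ")
            event[key.strip()] = value.strip()
        events.append(event)
    return events

def classify(event):
    """Reason-Code 23 with EAP-Type still <undetermined>: the PEAP outer TLS tunnel
    never came up, so inner MS-CHAP v2 never ran; suspect certificates, not passwords."""
    if event.get("Reason-Code") == "23" and event.get("EAP-Type") == "<undetermined>":
        return "outer-tls-failure"
    if event.get("Reason-Code") == "16":   # 16 assumed to be IAS's credential mismatch
        return "credential-mismatch"
    return "other"

def tls_failures_by_oui(events):
    """Outer-TLS failures per MAC OUI (first three octets): one device family or all?"""
    ouis = Counter()
    for e in events:
        if classify(e) == "outer-tls-failure":
            ouis[e["Calling-Station-Identifier"][:8]] += 1
    return dict(ouis)
```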
10-10-2007, 10:06 AM   #4
Posted by pilotmike
Join Date: Oct 2007
Location: Kansas City
Model: 8320
Carrier: T-Mobile

We worked with RIM for several hours yesterday and had a really good customer support rep. RIM has started to ask us good questions, unfortunately, no breakthrough type stuff yet.

Our plan for today is to work with an escalation manager contact at RIM and see if we can get some development or engineering resources (normal customer support reps do not have access to these resources) to at least look at our wireless packet capture. We know that the PEAP process is breaking when the BlackBerry sends back a TLS decrypt error after the certificate is sent from the IAS (RADIUS) Server.

Looks like others in an 802.1X PEAP MS-CHAP v2 WiFi environment are starting to post about problems in other forums too. I knew we could not be the only ones having this issue...

Wi fi conncetion problem with 8820 - RIM BlackBerry Wireless Forums
10-13-2007, 04:27 PM   #5
Join Date: Sep 2007
Model: 8820
Carrier: AT&T

Hmm. I was able to get both an 8820 and 8320 working on our wifi network at the office. We also use PEAP and radius security. I also had to add a certificate to both bb's b/c the default ones don't match what we are running. That is the only extra thing I had to add. In your setting you indicate a server subject. I don't have anything entered for mine so have you tried eliminating that? Sorry wish I could offer more.

Quote: Originally Posted by pilotmike
Has anyone been successful getting Enterprise Wi-Fi set up on an 8320/8820 using PEAP security? We have been working with both Cisco and RIM the past several days but have had no luck so far -- cases are still pending from both vendors.
10-13-2007, 11:44 PM   #6
Join Date: Jul 2007
Model: 8820
Carrier: at&t

Wesly, in my case there is no server certificate (none is required by Windows when I connect via my notebook), it seems that the BB does not allow this scenario (PEAP without a certificate) :(
10-14-2007, 09:26 PM   #7
Posted by pilotmike
Join Date: Oct 2007
Location: Kansas City
Model: 8320
Carrier: T-Mobile

We did try blanking the server subject out and we also tried to load the server cert in addition to the intermediate CA cert on the BB, but with no luck.

Still nothing back from the RIM escalation team, but hope to hear something tomorrow...
10-14-2007, 09:33 PM   #8
Posted by pilotmike
Join Date: Oct 2007
Location: Kansas City
Model: 8320
Carrier: T-Mobile

Quote: Originally Posted by ixtab
Wesly, in my case there is no server certificate (none is required by Windows when I connect via my notebook), it seems that the BB does not allow this scenario (PEAP without a certificate) :(
It was my understanding that PEAP without a certificate was LEAP? Am I wrong about that?

In our environment PEAP uses a server certificate for the password encryption (SSL/TLS) between client and RADIUS server.

Wi-Fi security is so much "fun"...
10-15-2007, 09:15 PM   #9
Join Date: Oct 2007
Model: 8320
Carrier: t-mobile

I'm also having problems with this. First of all, how do I even get the certificate onto the BlackBerry?
Hopefully this gets solved.

Thanks for your effort.
10-15-2007, 09:24 PM   #10
Join Date: May 2006
Model: 9700
Carrier: AT&T

Quote: Originally Posted by stawBerry
I'm also having problems with this. First of all, how do I even get the certificate onto the BlackBerry?
Hopefully this gets solved.

Thanks for your effort.

I got my 8820 working today. I had to install the certificate on the BB. Once it was there, PEAP worked like a charm.
1. Install desktop manager
2. Make sure you install certificate sync
3. launch BBDM
4. Launch cert sync
5. Choose what cert you need
6. sync them.
7. run through WI-FI setup again and you should be connected!!
10-15-2007, 11:29 PM   #11
Join Date: Oct 2007
Model: 8320
Carrier: t-mobile

Thank you, I had not installed the cert sync. Now I am just getting W010 failures.
11-09-2007, 04:42 PM   #12
Posted by pilotmike
Join Date: Oct 2007
Location: Kansas City
Model: 8320
Carrier: T-Mobile

Sorry for not keeping this thread current, but not much progress over the past month. Our case with RIM has been sent on to the senior developers now, who are working with some WLAN-specific developers. I suspect we have a bug in the BB OS because if this were a simple misconfiguration issue we'd not have this case at this level at RIM.

I'll keep everyone posted.
11-14-2007, 03:27 AM   #13
Posted by BlackRabbit
Join Date: Nov 2007
Location: France
Model: 9000
Carrier: Orange

Hi,

Just to let you know you are not alone with this issue.

I am in the same configuration: Cisco - LWAP - IAS Radius - AD
WPA2 - EAP-TLS - PEAP - MS Chap v2
My certificate is a Thawte SGC CA.
After uploading it to my terminal, I got the same logs on my RADIUS:
EAP-Type = <undetermined>
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client configuration.


Waiting for news from RIM...
11-14-2007, 08:53 AM   #14
Posted by ashleyneiltaylor
Join Date: May 2005
Location: London UK
Model: 9900
OS: 7.1.0.213
Carrier: Vodafone

I had a problem setting up my 8120 today.

We are using PEAP and found that you do indeed require the Intermediate Certificate on your Blackberry and it is this certificate you select for CA Certificate in the options.

Selecting the CARoot certificate did not work.
11-15-2007, 03:42 AM   #15
Posted by BlackRabbit
Join Date: Nov 2007
Location: France
Model: 9000
Carrier: Orange

Quote: Originally Posted by ashleyneiltaylor
We are using PEAP and found that you do indeed require the Intermediate Certificate on your Blackberry and it is this certificate you select for CA Certificate in the options.
Selecting the CARoot certificate did not work.
We used the intermediate certificate too, but it doesn't help.

Oh, we use 8820 4.2.2.124 (2.4.0.58)
11-15-2007, 06:40 AM   #16
Posted by ashleyneiltaylor
Join Date: May 2005
Location: London UK
Model: 9900
OS: 7.1.0.213
Carrier: Vodafone

We are using Nortel Access Points with IAS. Without the correct certificate, it wouldn't even associate with an AP and you didn't get any logs on the IAS.

Because we don't broadcast our SSID, I have configured the WLAN configuration on the BES.

Config is as follows:

WLAN Link Security EAP-PEAP
WLAN SSID ****WLANNet
WLAN User Name bbwlanuser@*****
WLAN User Password ********
WLAN DHCP Configuration True
WLAN Inner Authentication Mode EAP-MSCHAPV2

The * is to blank out corporate names. All we then had to do was sync the certificates (Intermediate and Root, because we use our own Certificate Authority).

Then set the profile to use the intermediate and that's all. If this doesn't work for you, I'd check the APs and Radius settings.
11-19-2007, 11:04 AM   #17
Posted by pilotmike
Join Date: Oct 2007
Location: Kansas City
Model: 8320
Carrier: T-Mobile

RIM discovers root cause for this issue

We got an update from BlackBerry support on this issue this morning. Their senior development team discovered that the issue is with the signature algorithm that is used on the VeriSign root certificate.

The VeriSign root certificate (VeriSign Class 3 Public Primary CA in our environment) uses MD2 with RSA encryption for the signature algorithm and MD2 is not supported in any BlackBerry OS at this time.

I think it would be safe to say that if any CA in your cert chain uses md2RSA as a signature algorithm, your authentication would be broken in the BlackBerry OS. (See attachment for sample certificate screenshot)

RIM has logged a "bug" in their development tracking system, but so far has not committed a specific BB OS version for the fix.

We'll keep on top of this and keep you all posted.
Attached thumbnail: md2rsa.jpg (sample certificate screenshot)
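An added check (not RIM's or the poster's code) that implements the conclusion above: walk a DER certificate chain, read each certificate's outer signatureAlgorithm OID and flag md2WithRSAEncryption, the algorithm RIM identified as unsupported. It uses only the Python standard library; the three-entry chain is constructed test data, not a real VeriSign chain.

```python
SIG_ALG_NAMES = {                       # RSA PKCS#1 signature OIDs
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
UNSUPPORTED = {"md2WithRSAEncryption"}  # the algorithm RIM identified as unsupported

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid_to_str(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Name (or dotted OID) of a DER X.509 certificate's outer signatureAlgorithm."""
    _, body, _ = _tlv(cert_der, 0)       # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, pos = _tlv(body, 0)            # skip tbsCertificate
    _, alg_id, _ = _tlv(body, pos)       # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _tlv(alg_id, 0)          # its first element is the algorithm OID
    dotted = _oid_to_str(oid)
    return SIG_ALG_NAMES.get(dotted, dotted)

def weak_links(chain):
    """Labels of chain entries signed with an algorithm in UNSUPPORTED."""
    return [label for label, der in chain if signature_algorithm(der) in UNSUPPORTED]

def _der(tag, contents):                 # short-form length only; enough for test data
    return bytes([tag, len(contents)]) + contents
def _fake_cert(sig_oid):
    """Constructed cert-shaped DER: placeholder TBS/signature, real AlgorithmIdentifier."""
    tbs = _der(0x30, b"\x02\x01\x01")                    # SEQUENCE { INTEGER 1 }
    alg = _der(0x30, _der(0x06, sig_oid) + b"\x05\x00")  # SEQUENCE { OID, NULL }
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xaa"))

MD2_RSA = bytes.fromhex("2a864886f70d010102")   # 1.2.840.113549.1.1.2
SHA1_RSA = bytes.fromhex("2a864886f70d010105")  # 1.2.840.113549.1.1.5
SAMPLE_CHAIN = [("server", _fake_cert(SHA1_RSA)),            # constructed stand-in for
               ("intermediate CA", _fake_cert(SHA1_RSA)),    # server -> intermediate -> root
               ("root CA", _fake_cert(MD2_RSA))]
```

Run against a real chain by loading each DER file and passing `(label, der_bytes)` pairs to `weak_links`; any entry it returns is one a client without MD2 support will refuse to validate.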
11-19-2007, 03:52 PM   #18
Join Date: Nov 2007
Model: 8820
Carrier: AT&T

Quote: Originally Posted by pilotmike
The VeriSign root certificate (VeriSign Class 3 Public Primary CA in our environment) uses MD2 with RSA encryption for the signature algorithm and MD2 is not supported in any BlackBerry OS at this time.

I think it would be safe to say that if any CA in your cert chain uses md2RSA as a signature algorithm, your authentication would be broken in the BlackBerry OS.
That explains my issue.
Keep us updated!


thanks
Mike
11-21-2007, 11:16 AM   #19
Posted by BlackRabbit
Join Date: Nov 2007
Location: France
Model: 9000
Carrier: Orange

Thanks, same configuration here. Our Thawte certificate is trusted by the same Verisign C3 md2RSA cert...
12-18-2007, 06:17 PM   #20
Join Date: Nov 2007
Model: 8820
Carrier: AT&T

Any word on a resolution to this?


Mike
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.